Configuring Applications Access Policies

Oct 20, 2015

When you deploy a software inventory package to a device, Device Manager maintains the list of apps. You can work from those lists to configure Applications Access Policies, also known as application blacklists and whitelists, to manage users' access to applications on their devices.

You can also use the Applications Access Policies in the following ways:

  • As triggers for Automated Actions. For example, if Device Manager detects that a device has an unapproved app installed, you can configure an Automated Action that remotely wipes a device, or sends a notification to the user that the user's device is out of compliance with the organization's policy.
  • To serve as device status flags for the Secure Mobile Gateway rules. For example, if Device Manager detects that a device has an unapproved app installed, you can configure the Secure Mobile Gateway rules to block the device from receiving email from the organization. For more information, see Secure Mobile Gateway Policies and Rules.

Applications Access Policies Types

You can create the following types of Applications Access Policies:

  • Forbidden (blacklist). A list of apps that users cannot install on their devices. If even one app on the device matches an app in the Forbidden list in Device Manager, the device is considered to be in violation of the policy.
  • Suggested (whitelist). A list of apps that you suggest to users. Users can have one or more of the apps from the list installed and still be in compliance with the policy. However, if users install an app that is not listed in the policy, the user's device is in violation of the policy.
  • Required (whitelist). A list of apps that must be installed on the device to be in compliance with the policy. Users must install all of the apps on the list. If any app on the list is not installed, the device is in violation of the policy.

App Definitions

When you define iOS and Android apps in your policies, entering the App bundle ID and App package name in Device Manager is optional. However, Device Manager can identify apps more reliably when you use these values.

On iOS, an App bundle ID is traditionally a reverse-domain-name style string that the developer assigns when creating a new app. For example, for Angry Birds (www.rovio.com/), the App bundle ID on iOS is 'com.rovio.angrybirds'. On Android, the App package naming convention is similar: the developer identifies the app with a reverse-domain-name style string. The last part of the name is the name of the App package, often with the file extension appended to the end. For example, for Angry Birds, the App package name on Android is 'com.rovio.angrybirds.apk'.
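The three policy types and the identifier matching described above can be modelled as follows. This is an added example, not Device Manager code: the function and class names, the sample apps other than the Angry Birds bundle ID, and the matching rule (compare identifiers when the policy entry defines one, otherwise compare names) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class App:
    name: str
    identifier: Optional[str] = None  # iOS bundle ID or Android package name

def matches(entry: App, installed: App) -> bool:
    """Assumed rule: compare identifiers when the policy entry defines one,
    otherwise fall back to the display name."""
    if entry.identifier:
        return entry.identifier == installed.identifier
    return entry.name == installed.name

def violations(policy_type: str, entries: list, inventory: list) -> list:
    """Return the apps that put the device in violation (empty = compliant)."""
    if policy_type == "forbidden":   # any installed app on the list violates
        return [a for a in inventory if any(matches(e, a) for e in entries)]
    if policy_type == "suggested":   # any installed app NOT on the list violates
        return [a for a in inventory if not any(matches(e, a) for e in entries)]
    if policy_type == "required":    # any listed app that is missing violates
        return [e for e in entries if not any(matches(e, a) for a in inventory)]
    raise ValueError(f"unknown policy type: {policy_type}")

# Constructed sample data (hypothetical corporate apps and display names).
FORBIDDEN = [App("Angry Birds", "com.rovio.angrybirds")]
CORP_APPS = [App("Corp Mail", "com.example.corpmail"),
             App("Corp VPN", "com.example.vpn")]
INVENTORY = [
    App("Angry Birds Free", "com.rovio.angrybirds"),  # name differs from policy entry
    App("Corp Mail", "com.example.corpmail"),
]

def report() -> dict:
    """Evaluate the sample inventory against each policy type."""
    return {
        "forbidden": [a.name for a in violations("forbidden", FORBIDDEN, INVENTORY)],
        "suggested": [a.name for a in violations("suggested", CORP_APPS, INVENTORY)],
        "required": [a.name for a in violations("required", CORP_APPS, INVENTORY)],
    }

if __name__ == "__main__":
    for policy, apps in report().items():
        print(policy, "->", "violation: " + ", ".join(apps) if apps else "compliant")
```

In this model, a Forbidden entry defined by name only would not flag the sample device, because the installed app's display name differs from the policy entry; the entry with the bundle ID does.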

To configure an Applications Access Policy

  1. In the Device Manager web console, click the Policies tab.
  2. On the left side of the console, under App Policies, Global > Applications Access Policies, click New Applications Access Policy.
  3. In the Add a new Applications Access Policy dialog box, enter a name for the policy, such as Forbidden iOS Apps, and then optionally enter a description.
  4. In Access policy, click one of the following options:

    • Required (whitelist). Defines a list of apps that users are required to install on their device to be in compliance with the policy. If any of the apps is not installed, the device is in violation of the policy.
    • Suggested (whitelist). Defines a list of apps that are suggested to users. Users can have one or more of the apps from the list installed and still be in compliance with the policy. However, if the user installs any apps that are not listed in the policy, the device is in violation of the policy.
    • Forbidden (blacklist). Defines a list of apps that users should not install on their devices. If any apps on the device match an app in this list, the device is in violation of the policy.
  5. In OS type, select the device platform you want to associate with the policy.
  6. Click New app.
  7. In the Add a new application dialog box, enter the name of an app that you would like to add to the Applications Access Policy list. When you add an app, you can optionally enter the app bundle ID and app package name for iOS and Android. If you configure these fields, Device Manager uses the values to identify the app.
  8. Click Create. This will create the application in the list.

    The app appears in the list in the Add a new application dialog box.

  9. Click Create again to create the Applications Access Policy. Once created, you can add this policy to a deployment package and deploy it to the devices you want to manage.